Ports
The following tables describe network ports that must be opened to ensure proper communication of components in the Veeam Agent management infrastructure.
Communication Between Veeam Backup & Replication Components
For general requirements for ports that must be opened to ensure proper communication of the backup server with backup infrastructure components, see the Ports section in the Veeam Backup & Replication User Guide.
For general requirements for ports that must be opened to ensure proper communication of the backup server with Veeam Cloud Connect infrastructure components, see the Ports section in the Veeam Cloud Connect Guide.
In addition to general port requirements applicable to a backup server, the following network ports that must be opened to enable proper communication between Veeam Backup & Replication components.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Backup Server | Veeam Agent Computer (Microsoft Windows) | TCP | 6184+ | Default port used for communication with the Veeam Agent for Microsoft Windows Service. If port 6184 is already in use, Veeam Agent for Microsoft Windows Service tries to use the next port number in the allocated range (6184 to 6194). Once the service takes the next available port, it makes it the default port for all subsequent connections. |
TCP | 135, | Default ports used for communication with the Veeam Installer Service. Port 135 is used for WMI queries. WMI queries are mandatory to back up failover clusters and perform file-level restore and optional to provide faster Veeam Agent deployment. Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure. Ports 137 to 139 and 445 are used in the following cases:
Ports 6160 and 11731 are used to deploy Veeam Agent on the computer and to perform restore. If the backup repository server role and the mount server role are assigned to different servers in your infrastructure, you must open ports described in the Mount Server Connections section in the Veeam Backup & Replication User Guide. | ||
TCP | 2500 to 3300 | [For Microsoft SQL logs shipping] Ports used to collect Microsoft SQL logs from the Veeam Agent computer. | ||
TCP | 6167, | [For Microsoft SQL logs shipping] Ports used to collect Microsoft SQL logs from the Veeam Agent computer operating as part of a failover cluster with SQL Server Always On Availability Groups. | ||
TCP | 6160, | Port used for the volume-level restore. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. | ||
Veeam Agent Computer (Linux) | TCP | 22, | Port 22 is used to establish an SSH connection from the Veeam Backup Server to the Veeam Agent computer. Ports 6160 and 6162 are used for default connection to the Veeam Agent computer using Veeam Deployer Service and Veeam Transport Service. Note: You can customize ports 6160 and 6162 using registry keys. To learn more, see this Veeam KB article. | |
TCP | 6162 | Default port used by the Veeam Data Mover. Note You can customize port 6162 using registry keys. To learn more, see this Veeam KB article. | ||
TCP | 2500 to 3300 | Default range of ports used for communication between Veeam Agent components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned. | ||
Veeam Agent Computer (Unix) | TCP | 22 | Port 22 is used to establish an SSH connection from the Veeam Backup Server to the Veeam Agent computer. | |
TCP | 2500 to 3300 | Default range of ports used for communication between Veeam Agent components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned. | ||
Distribution Server | TCP | 135, | Ports on a Microsoft Windows server used for deploying the Distribution Server component. Port 135 is optional. This port is used to provide faster Veeam Agent deployment. Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure. Ports 6160 and 11731 are used by the Veeam Installer Service. These ports together with port 445 are mandatory to deploy the Distribution Server component. Note You can customize port 6160 using registry keys. To learn more, see this Veeam KB article. | |
TCP | 49152 to 65535 | Dynamic RPC port range. For more information, see this Microsoft KB article. | ||
TCP | 9380 | Default port used for communication with the Veeam Distribution Service. | ||
Distribution Server | Veeam Agent Computer (Microsoft Windows) | TCP | 49152 to 65535 | Dynamic RPC port range. For more information, see this Microsoft KB article. The port range is required for communication with the Veeam Installer Service. |
TCP | 6160, | Ports on the Veeam Agent computer used for deploying Veeam Agent. | ||
Veeam Agent Computer (Linux) | TCP | 22, | Port 22 is used to establish an SSH connection for Veeam Agent packages transmission and deployment control. After Veeam Agent is deployed, ports 6160 and 6162 are used for default connection to Veeam Agent computer using Veeam Deployer Service and Veeam Transport Service. Note: You can customize ports 6160 and 6162 using registry keys. To learn more, see this Veeam KB article. | |
Veeam Agent Computer (Unix) | TCP | 22 | Port 22 is used to establish an SSH connection for Veeam Agent packages transmission and deployment control. | |
Veeam Agent Computer (Microsoft Windows) | Veeam Backup Server | TCP | 10005 | Default port used by Veeam Agent for Microsoft Windows operating in the managed mode for communication with the Veeam Backup server. Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers. |
TCP | 10001 | Port used by Veeam Agent for direct connection to the Veeam backup server using credentials. For example, during bare metal restore from a backup created by Veeam Agent operating in the managed mode. | ||
TCP | 2500 to 3300 | Default range of ports used to publish the ransomware index. For every TCP connection that a backup job uses, one port from this range is assigned. | ||
Veeam Agent Computer (Linux) | Veeam Backup Server | TCP | 10002, 10006 | Default ports used for communication with the Veeam Backup server. Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers. |
TCP | 6160, | Default ports used by Veeam Deployer Service (6160) and Veeam Transport Service (6162) for communication between Veeam Agent computer and Veeam backup server. Note: You can change the default ports 6160 and 6162 in the respective services' configuration files. To learn more, see this Veeam KB article. | ||
Veeam Agent Computer (Unix, macOS) | Veeam Backup Server | TCP | 10006 | Default port used for communication with the Veeam Backup server. Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers. |
Communication Between Veeam Agent Components
The following table describes network ports that must be opened to enable proper communication between Veeam Agent components.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Agent Computer (Microsoft Windows) | Veeam Agent Computer (Microsoft Windows) | TCP | 9395+, 6183+ | Ports used locally on the Veeam Agent computer for communication between Veeam Agent components and Veeam Agent for Microsoft Windows Service. If port 9395 or 6183 is already in use, Veeam Agent for Microsoft Windows Service will try to use the next port number. |
Veeam Agent Computer (Linux, Unix, macOS) | Veeam Agent Computer (Linux, Unix, macOS) | TCP | 2500 to 3300 | Default range of ports used locally for communication between Veeam Agent components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned. |
Communication with Veeam Backup Repositories
The following table describes network ports that must be opened to ensure proper communication between Veeam Agent and Veeam backup repositories.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Agent Computer | Linux server performing the role of a backup repository | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. |
Microsoft Windows server performing the role of a backup repository | TCP | 49152 to 65535 | Dynamic RPC port range. For more information, see this Microsoft KB article. | |
TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. | ||
Shared folder SMB (CIFS) share | TCP | 137 to 139, | Ports used as a transmission channel from the Veeam Agent computer to the target SMB (CIFS) share. Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure. | |
Gateway Microsoft Windows server | TCP | 137 to 139, | If an SMB (CIFS) share is used as a backup repository and a Microsoft Windows server is selected as a gateway server for this CIFS share, these ports must be opened on the gateway Microsoft Windows server. Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure. | |
TCP | 49152 to 65535 | Dynamic RPC port range. For more information, see this Microsoft KB article. | ||
TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. |
Communication with Veeam Cloud Connect Repositories
The following table describes network ports that must be opened to ensure proper communication between Veeam Agents and Veeam Cloud Connect repositories.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Agent Computer (Microsoft Windows, Linux, macOS) | Cloud gateway | TCP | 6180 | Port on the cloud gateway used to transport Veeam Agent data to the Veeam Cloud Connect repository. |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Veeam Agent computer needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the Veeam Cloud Connect service provider. Generally, information about CRL locations can be found on the CA website. |
Communication with Object Storage
The following table describes network ports that must be opened to ensure proper communication with object storage if you back up data to object storage that Veeam Agent accesses directly. For more information about object storage connection modes, see Backup to Object Storage.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Gateway server or backup server | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints:
All AWS service endpoints are specified in the AWS documentation. |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | |||
Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also Microsoft documentation. | |||
Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage through the following endpoints:
All cloud endpoints are specified in this Google article. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | |||
IBM Cloud object storage | TCP | Depends on device configuration | Used to communicate with IBM Cloud object storage. | |
S3 compatible object storage | TCP | Depends on device configuration | Used to communicate with S3 compatible object storage. | |
Veeam Data Cloud Vault storage | TCP | 443 | Used to communicate with the Veeam Data Cloud Vault storage through the xxx.blob.core.windows.net endpoint. |
Communication with Cloud Machines
The following table describes network ports that must be opened to ensure proper communication between Veeam Backup & Replication and Veeam Agents installed on Amazon EC2 instances or Microsoft Azure virtual machines (both objects can be also referred to as cloud machines).
From | To | Protocol | Port/Endpoint | Notes |
---|---|---|---|---|
Veeam Backup & Replication, | Amazon cloud | TCP | 443 | Port and endpoints used for communication from Veeam Backup & Replication and Amazon EC2 instance to the Amazon cloud where the instance is located. |
HTTPS | AWS service endpoints:
A complete list of connection endpoints can be found in AWS Documentation. | |||
TCP | 80 | Port and endpoints used to verify the certificate status. Keep in mind that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
| |||
Veeam Backup & Replication, Microsoft Azure virtual machine with Veeam Agent | Microsoft Azure cloud | TCP | 443 | Port and endpoints used for communication from Veeam Backup & Replication and Microsoft Azure virtual machine to the Microsoft Azure cloud where the virtual machine is located. Keep in mind that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal. |
HTTPS | Global region endpoints:
China region endpoints:
Government region endpoints:
| |||
TCP | 80 | Port and endpoints used to verify the certificate status. Keep in mind that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
|
Communication with 3rd Party Components
The following table describes network ports that must be opened to ensure proper communication between Veeam backup server and 3rd party infrastructure components.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Backup server
| Microsoft Active Directory | TCP | 389 | LDAP connections. |
TCP | 636 | LDAPS (Secure LDAP) connections. | ||
DNS server with forward/reverse name resolution of all backup servers | UDP | 53 | Port used for communication with the DNS Server. |